Telecommunications network security consists of policies adopted by network administrators to protect the network and the network-accessible resources from unauthorized access. A policy is a combination of rules and services, where the rules define the criteria for access to and usage of resources. A “telecommunications network policy rule” is a direction that governs the operation of one or more security devices (implemented in hardware and/or software) in a telecommunications network, such as firewalls, anti-virus software, and others. Exemplary rules include: “do not store executable files on a hard drive”, “block all network traffic to and from port 23”, “do not place application A in the same security perimeter with application B”, “do not forward executable files to application A”, etc. Such policy rules are specified by network administrators and are enforced by firewalls, anti-virus programs, and other similar services.
FIG. 1 depicts an example of a telecommunications system as is known in the prior art. Secure Network 110 is an enterprise network. Network 110 is separated from the Internet (i.e. network 130) by firewall 120.
Firewall 120 is software and hardware that is designed to block unauthorized access while permitting authorized communications. It is a device configured to permit, deny, encrypt, and decrypt traffic between network 130 and network 110. Firewall 120 fulfills its function by examining the traffic between network 130 and network 110 and blocking traffic that violates one or more policy rules. In this example, firewall 120 is configured to prevent telnet traffic (i.e. traffic to and from port 23) between secure network 110 and network 130.
FIG. 2 depicts the internal organization of secure network 110. Secure network 110 comprises a low-security perimeter and high-security perimeter. The two perimeters are separated by firewall 220. Nodes 210-1, 210-2, and 210-3 are located in the high security perimeter. Nodes 230-1, 230-2, and 230-3 belong to the low-security perimeter.
A node is a physical computer machine that is executing a server. Servers are software applications that provide access to data and other computer resources remotely. An example of a server is a web server which provides access to web page content. As used in this application, the word “server” refers only to software that is executing on a physical computer machine (or node).
A telecommunications network usually comprises a plurality of servers which can have varying functions. Some servers are more prone to become infected with computer viruses than others. For example, a large portion of all computer viruses spread via email, and, consequently, email servers are considered more likely to become a conduit through which computer viruses enter a telecommunications network.
Additionally, some servers are deemed more critical to the utility of a telecommunications network. For example, a server that manages a company's accounting system is much more critical than an email server. The loss of accounting records can be costly and have negative consequences for the company's well-being. Placing such mission-critical servers in a different network security perimeter from the more exposed servers, such as the email server, helps prevent a computer virus that enters the network through an exposed server from spreading to a mission-critical server such as the accounting server.
Secure network 110 is an example of a network which separates servers by placing them in different perimeters. As FIG. 2 depicts, nodes 210-1, 210-2, and 210-3 form part of a high-security perimeter, and nodes 230-1, 230-2, and 230-3 belong to a low-security perimeter. The two perimeters are separated by firewall 220.
Firewall 220 prevents viruses from propagating to the nodes in the high-security perimeter. Just like firewall 120, firewall 220 is software and hardware that is designed to block unauthorized access while permitting authorized communications. It is a device configured to permit, deny, encrypt, and decrypt network traffic. However, firewall 220 is configured to implement more stringent network policies than firewall 120. One such policy rule is “do not allow transfer of executable files.” If a computer virus crosses firewall 120, the executable file that carries the virus will be blocked from propagating into the high-security perimeter by firewall 220.
When multiple servers are executed in a physical computer machine, the maintenance of security perimeters becomes complicated. A technique known as virtualization is commonly used to run multiple servers (a.k.a. virtual servers) on the same physical computer machine. When virtualization is used in a network, the boundaries between different security perimeters become blurred and a potential for introducing security vulnerabilities is created.
FIG. 3 depicts the salient components of a node that uses virtualization. The node (i.e. Node 300) comprises hardware 310, virtualization layer 320, system software 330, system software 340, accounting server 332, and email server 342.
Hardware 310 is the electronic components that comprise node 300 (e.g. processor, memory, network adapter, etc.).
Virtualization Layer 320 is the main device through which virtualization is achieved. Virtualization layer 320 is a software layer that facilitates the sharing of the resources of hardware 310 by multiple system software instances. In particular, system software 330 and 340 are two different operating system instances that are concurrently executed by node 300. System software 330 executes an accounting server, and system software 340 executes an email server. The running of each server inside a separate operating system allows node 300 to achieve a degree of separation between the servers. This separation furthers network security and makes using virtualization a better option than running two servers inside the same operating system.
Nevertheless, using server virtualization can introduce security vulnerabilities to a network. As previously noted, it is desirable to keep email servers and accounting servers in separate security perimeters. The reason for the separation is that email servers, in general, are more prone to become infected, while accounting servers, because of their importance, should be kept as secure as possible.
When virtualization is used, as FIG. 3 illustrates, two applications that belong in different security perimeters may wind up executing on the same physical computer machine. Thus, it is possible for a computer virus to enter node 300 through email server 342, spread into virtualization layer 320, and infect accounting server 332 from there, without ever crossing a firewall. In contrast, in the example of FIG. 2, the nodes do not use virtualization and each server executes on a separate physical computer machine. For this reason, in FIG. 2, the accounting server is completely separated from the email server, and, therefore, a virus cannot infect the accounting server without first crossing a security device, such as firewall 220.
The relevance of the vulnerabilities introduced by virtualization can be understood through the concept of server migration. Server migration is the act of transferring one server from one physical computer machine to another physical computer machine. When a server is migrated, one or more files associated with the server are copied, a new operating system instance is started, and one or more of the copied files are executed within the new operating system instance.
FIG. 4 depicts an example of server migration. FIG. 4 depicts node 410 and node 420. Node 410 executes concurrently three servers: inventory server 432, employee information server 442, and accounting server 452. Node 420, in contrast, executes only email server 462. Each server is executing inside a separate system software instance.
At time=t0, node 410 is overwhelmed by having to run three servers, while node 420 is underutilized. For this reason, accounting server 452 is migrated from node 410 to node 420.
At time=t1, the migration of accounting server 452 is completed and nodes 410 and 420 are executing two servers each. The migration, in this example, involves three salient tasks:
i. copy one or more files associated with accounting server 452 to node 420,
ii. instantiate a new system software instance on node 420, and
iii. launch one or more of the copied files inside the new system software instance.
As a result of the migration, a vulnerability is introduced to node 420. The vulnerability is rooted in the fact that at time t1 accounting server 452 and email server 462 are executing on the same physical machine, so that the only separation between them is virtualization layer 320 rather than a security device such as firewall 220. The vulnerability is of the same type as the one described in the discussion with respect to FIG. 3. To prevent such vulnerabilities from being created, network administrators must analyze each physical computer machine, and the servers it is running, on a case-by-case basis. The network administrators must exercise special care not to place incompatible servers on the same physical machine.
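The case-by-case check described above can be expressed as a small set of placement rules evaluated against the destination node before any file is copied. The following is an added example that models the FIG. 4 scenario; it is not code from the original application. The perimeter labels (“high”, “low”), the role names, the assignment of inventory server 432 and employee information server 442 to the high-security perimeter, and the spare node used in the usage note are all assumptions made for illustration.

```python
"""Pre-migration placement check (added example, not part of the original
application).  Before a virtual server is moved to a destination node, every
server already resident on that node is compared against policy rules of the
form "do not place application A in the same security perimeter with
application B".  Names, roles and perimeter labels are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    name: str       # identifier; FIG. 4 reference numerals reused for readability
    role: str       # e.g. "email", "accounting"
    perimeter: str  # security perimeter label; "high"/"low" are assumed labels


@dataclass
class Node:
    name: str
    servers: list = field(default_factory=list)


# Generalization of "do not place application A in the same security perimeter
# with application B": servers from different perimeters never share a node.
def rule_same_perimeter(candidate: Server, resident: Server):
    if candidate.perimeter != resident.perimeter:
        return (f"{candidate.name} [{candidate.perimeter}] would share a node "
                f"with {resident.name} [{resident.perimeter}]")
    return None


# Explicit incompatibility by role.  The accounting/email pair is the one the
# text discusses; any further pairs added here are assumptions.
INCOMPATIBLE_ROLES = {frozenset({"accounting", "email"})}


def rule_incompatible_roles(candidate: Server, resident: Server):
    if frozenset({candidate.role, resident.role}) in INCOMPATIBLE_ROLES:
        return f"roles {candidate.role} and {resident.role} may not co-reside"
    return None


RULES = (rule_same_perimeter, rule_incompatible_roles)


def check_placement(candidate: Server, dst: Node, rules=RULES) -> list:
    """Return every rule violation that placing `candidate` on `dst` would create."""
    return [msg for resident in dst.servers for rule in rules
            if (msg := rule(candidate, resident))]


def migrate(candidate: Server, src: Node, dst: Node, rules=RULES) -> None:
    """Refuse the move if any rule is violated; otherwise update the records.
    Steps (i)-(iii) of the text (copy files, start system software, launch)
    are stood in for by moving the record; the point is that the policy check
    runs before step (i)."""
    violations = check_placement(candidate, dst, rules)
    if violations:
        raise PermissionError(f"migration of {candidate.name} to {dst.name} "
                              "refused: " + "; ".join(violations))
    src.servers.remove(candidate)
    dst.servers.append(candidate)


def build_fig4():
    """State at time t0: node 410 runs three servers, node 420 runs only the
    email server.  Perimeters of servers 432 and 442 are assumed."""
    node410 = Node("node-410", [
        Server("inventory-432", "inventory", "high"),
        Server("employee-info-442", "employee-info", "high"),
        Server("accounting-452", "accounting", "high"),
    ])
    node420 = Node("node-420", [Server("email-462", "email", "low")])
    return node410, node420


def find(node: Node, name: str) -> Server:
    return next(s for s in node.servers if s.name == name)


if __name__ == "__main__":
    n410, n420 = build_fig4()
    acct = find(n410, "accounting-452")
    for v in check_placement(acct, n420):
        print("violation:", v)
    try:
        migrate(acct, n410, n420)      # the FIG. 4 move is refused
    except PermissionError as e:
        print(e)
```

Running the block reports two violations for the FIG. 4 move (different perimeters, and the accounting/email role pair) and leaves both nodes unchanged; the same `migrate` call against a hypothetical spare high-security node succeeds, because the rules are evaluated only against servers already resident on the destination.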
The exercise of such care is complicated by the number of server migrations which can be performed in a network over the course of a day. Server migration is frequently performed by network administrators. Servers can be migrated when a physical computer machine becomes damaged or when the load on one or more physical computer machines needs to be balanced. In sizable networks, virtual server migration is a routine task that is performed often.
Every time a virtual server is migrated from one physical computer machine to another, the possibility exists that a vulnerability will be created because of human error. Therefore, the need exists for a method of migrating servers that increases security by reducing the possibility of human error. Moreover, the need exists for a disciplined approach towards server migration that avoids the case-by-case analysis spoken of above.